Mydoom.M

Effects

Mydoom.M has the following effects:

It installs a dynamic link library (DLL) that opens TCP port 1042 and listens on it, thus behaving as a backdoor. This allows hackers to remotely access the affected computer in order to carry out actions that compromise users' confidentiality or impede normal work.

It ends any process whose name contains any of the text strings below:

avp., avp32, intrena, mcafe, navapw, navw3, norton, reged, taskmg and taskmo.

These strings are related to antivirus programs and system monitoring tools. By ending these processes, the affected computer is left vulnerable to attack by other malware.

Infection strategy

Mydoom.M creates the following files in the Windows directory:

LSASS.EXE. This file is a copy of the worm.

A text file with a random name and a TXT extension in the Windows temporary directory. Mydoom.M uses this file in order to carry out its actions.
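The artefacts described under Effects and Infection strategy (the listener on TCP port 1042, the LSASS.EXE copy in the Windows directory, the terminated security processes, the mutex) can be checked for on a host. The Python below is an added example, not code from the original description or from any vendor tool. It runs over a constructed host inventory (listening ports, file paths, running processes, named mutexes) rather than querying a live system, so the collection step is assumed to be done by whatever EDR or inventory tooling is in use; the expected-process list and the sample inventories are constructed for the example, and treating the %s in jmydoat%smtx as a variable middle part of the mutex name is an assumption.

```python
"""Host triage for the Mydoom.M artefacts described above (added example)."""
from dataclasses import dataclass, field

# Process-name substrings the worm matches before terminating a process (from the description).
KILL_STRINGS = ("avp.", "avp32", "intrena", "mcafe", "navapw", "navw3",
                "norton", "reged", "taskmg", "taskmo")
BACKDOOR_PORT = 1042

# Assumed site baseline: security/monitoring processes that should be running on every host.
EXPECTED_SECURITY_PROCESSES = ["navapw32.exe", "Taskmgr.exe", "regedit.exe"]


@dataclass
class HostInventory:
    """Snapshot of one host, collected by EDR or inventory tooling (assumed)."""
    windows_dir: str                       # e.g. r"C:\WINDOWS"
    files: set[str]                        # full paths of files present
    listening_tcp: set[int]                # local TCP ports in LISTEN state
    running: list[str]                     # image names of running processes
    mutexes: set[str] = field(default_factory=set)  # named mutexes, if collected


def would_be_terminated(name: str) -> bool:
    """True if the worm's case-insensitive substring match on process names hits this one."""
    lowered = name.lower()
    return any(s in lowered for s in KILL_STRINGS)


def missing_security_processes(expected: list[str], running: list[str]) -> list[str]:
    """Expected security processes that are not running and that the worm would target."""
    up = {p.lower() for p in running}
    return [p for p in expected if p.lower() not in up and would_be_terminated(p)]


def triage_host(inv: HostInventory, expected: list[str]) -> list[str]:
    """Return the Mydoom.M indicators present on the host, as short tags."""
    findings = []
    if BACKDOOR_PORT in inv.listening_tcp:
        findings.append("backdoor_port")
    # The legitimate lsass.exe lives in System32; a copy directly in the Windows directory
    # is the worm's dropped file.
    dropped = inv.windows_dir.rstrip("\\").upper() + "\\LSASS.EXE"
    if any(f.upper() == dropped for f in inv.files):
        findings.append("lsass_in_windows_dir")
    if missing_security_processes(expected, inv.running):
        findings.append("security_processes_killed")
    # Assumption: the %s in jmydoat%smtx is a variable middle part of the mutex name.
    if any(m.lower().startswith("jmydoat") and m.lower().endswith("mtx") for m in inv.mutexes):
        findings.append("mutex")
    return findings


def sample_infected() -> HostInventory:
    """Constructed inventory of a host showing every indicator (not a real capture)."""
    return HostInventory(
        windows_dir=r"C:\WINDOWS",
        files={r"C:\WINDOWS\LSASS.EXE", r"C:\WINDOWS\System32\lsass.exe"},
        listening_tcp={135, 445, 1042},
        running=["explorer.exe", "svchost.exe", "lsass.exe"],
        mutexes={"jmydoat_example_mtx"},
    )


def sample_clean() -> HostInventory:
    """Constructed inventory of a healthy host."""
    return HostInventory(
        windows_dir=r"C:\WINDOWS",
        files={r"C:\WINDOWS\System32\lsass.exe"},
        listening_tcp={135, 445},
        running=["explorer.exe", "navapw32.exe", "Taskmgr.exe", "regedit.exe"],
    )


if __name__ == "__main__":
    for label, inv in (("infected", sample_infected()), ("clean", sample_clean())):
        print(label, triage_host(inv, EXPECTED_SECURITY_PROCESSES))
```

The missing-process check is the most useful of the four on a fleet: a listener on 1042 or a file in the Windows directory can be verified directly, but a security process that was running at the last inventory and is now absent on a host that also matches the kill list is the signal worth alerting on first.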

Means of transmission

It reaches the computer in an e-mail message with variable characteristics:

Sender: Mydoom.M spoofs the e-mail address from which it is sent. This may cause confusion. It can also add any of the following texts to the spoofed address:

"Automatic Email Delivery Software"
"Bounced mail"
"Mail Delivery Subsystem"
"MAILER-DAEMON"
"Post Office"
"Returned mail"
"The Post Office"
"Mail Administrator"
"Postmaster"
MAILER-DAEMON
noreply
postmaster

Subject: it can be one of the following:

click me baby, one more time
delivery failed
Delivery reports about your e-mail
error
hello
report
say helo to my litl friend
status

Message: it can be blank, an illegible set of characters or any of the following:

Message 1:
The original message was received at from []

Your message was not delivered because the destination computer was not reachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configuration parameters.

Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now.

Your message was not delivered within 7 days: Host is not responding.

The following recipients did not receive this message:

Please reply to if you feel this message to be in error.

Message 4:
Message could not be delivered

Message 5:
The original message was included as attachment

Attachments: the file name is variable, and has a random extension.

Possible file names: it can be a random file name, or one of the following: ATTACHMENT, DOCUMENT, FILE, LETTER, MAIL, MESSAGE, README, TEXT, TRANSCRIPT.

Possible extensions: BAT, CMD, COM, EXE, PIF, SCR, ZIP.

The computer is affected when the attached file is run.
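The sender, subject, message and attachment characteristics listed above are enough to build a mail-gateway triage rule. The Python below is an added example, not code from the original description or from any vendor product; it parses a message with the standard-library email package and reports which of the Mydoom.M lure traits it matches. The two sample messages, the indicator tags and the quarantine policy in verdict() are constructed for the example.

```python
"""Mail-gateway triage for the Mydoom.M lure characteristics (added example)."""
import email
import os
from email import policy
from email.utils import parseaddr

# Display names / local parts the worm adds to its spoofed sender (from the description).
SENDER_TEXTS = {
    "automatic email delivery software", "bounced mail", "mail delivery subsystem",
    "mailer-daemon", "post office", "returned mail", "the post office",
    "mail administrator", "postmaster", "noreply",
}
SUBJECTS = {
    "click me baby, one more time", "delivery failed",
    "delivery reports about your e-mail", "error", "hello", "report",
    "say helo to my litl friend", "status",
}
# Fragments of the bounce-style message texts quoted in the description.
BODY_FRAGMENTS = (
    "was not delivered", "did not receive this message",
    "message could not be delivered", "original message was included as attachment",
)
ATTACHMENT_BASENAMES = {"attachment", "document", "file", "letter", "mail",
                        "message", "readme", "text", "transcript"}
ATTACHMENT_EXTENSIONS = {".bat", ".cmd", ".com", ".exe", ".pif", ".scr", ".zip"}


def triage_message(raw: bytes) -> list[str]:
    """Return the lure traits matched, in the order sender, subject, body, attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []

    name, addr = parseaddr(str(msg.get("From", "")))
    local_part = addr.split("@", 1)[0].lower()
    if name.strip().lower() in SENDER_TEXTS or local_part in SENDER_TEXTS:
        hits.append("sender")

    if str(msg.get("Subject", "")).strip().lower() in SUBJECTS:
        hits.append("subject")

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part is not None else ""
    if any(frag in body for frag in BODY_FRAGMENTS):
        hits.append("body")

    for part in msg.iter_attachments():
        base, ext = os.path.splitext(part.get_filename() or "")
        # The description says the file name may be random, so the extension alone
        # counts; a base name from the worm's list only confirms the match.
        if ext.lower() in ATTACHMENT_EXTENSIONS:
            hits.append("attachment")
            break
    return hits


def verdict(hits: list[str]) -> str:
    """Assumed gateway policy: executable attachment plus any other lure trait -> quarantine."""
    if "attachment" in hits and len(hits) >= 2:
        return "quarantine"
    return "review" if hits else "deliver"


# Constructed sample messages (not real captures).
SAMPLE_LURE = b"""From: "Mail Delivery Subsystem" <mailer-daemon@example.invalid>
To: victim@example.invalid
Subject: delivery failed
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Message could not be delivered
--b1
Content-Type: application/octet-stream; name="message.zip"
Content-Disposition: attachment; filename="message.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

SAMPLE_BENIGN = b"""From: Alice <alice@example.invalid>
To: bob@example.invalid
Subject: Lunch tomorrow?
Content-Type: text/plain

Are you free at noon?
"""

if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        h = triage_message(raw)
        print(label, h, verdict(h))
```

The subject and sender lists are exact matches because the worm picks from fixed strings, while the body check is a substring match because the quoted texts contain per-message values (recipient, host, date) that vary. Genuine bounce messages will match the sender and body checks too, which is why the policy only quarantines when an executable attachment is also present.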

Mydoom.M searches for e-mail addresses in files that have the following extensions: DOC, HTM, HTML and TXT.

Mydoom.M sends itself out to all the addresses it has gathered and to all the contacts in the Windows Address Book, using its own SMTP engine. In order to do so, it attempts to open an SMTP session with possible mail servers, whose names it builds from the mail domain of the recipient.

However, it does not send itself to the addresses that have the following characteristics:

It creates copies of itself in directories whose names contain any of the following text strings: download, ftproot, incoming, shar. By doing so, it attempts to copy itself into the shared directories of file sharing programs.

Other users of these programs can access the shared directories and download these files to their computers, thinking that they are useful programs. However, what they actually download is a copy of the worm.

When the downloaded file is run, these computers will be affected by Mydoom.M.

Further Details

Mydoom.M is around 33 KBytes in size. The DLL it installs is 8,776 bytes in size and is compressed with UPX.

Mydoom.M creates the mutex jmydoat%smtx in order to prevent two copies of the worm from running at the same time.
